Target found negligent in data breach

It's been one year since Target's (NYSE:TGT) data breach disrupted the retailer's holiday season, and now a Minnesota District Court has found Target negligent, paving the way for lawsuits as banks and financial institutions potentially seek compensation.

Target's data breach occurred in November and December 2013, and compromised the payment card information of 40 million shoppers and the personal information of 70 million. The culprit was a third party contractor, an HVAC professional, who in inadvertently allowed hackers access to the retailer's POS network.

And while the court acknowledged that third-party hackers were to blame, "Target played a key role in allowing the harm to occur," wrote Judge Paul Magnuson, according to InfoSecurity Magazine. "Indeed, Plaintiffs' allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case."

Lawyers for Target argued that the retailer had no responsibility to protect card issuers and Target had no special relationship with the issuers. There could be no basis to find Target was responsible in causing the third parties harm.

But negligence was found, thanks to Target's own choices. The retailer admittedly turned off its early warning FireEye system and ignored multiple warnings. And so, hackers infiltrated Target's poorly sequestered network.
The ruling, while opening the door for retailers to bear financial responsibility for costly data breaches, only affects those headquartered in Minnesota, or those that store data in that state.

But it does open the door for credit card issuers to seek restitution from retailers.

"Data breaches at retailers have cost credit unions and their members a minimum of $90 million--and those are the costs only for breaches at Target, for $30 million, and Home Depot, at nearly $60 million," said Credit Union National Association President and CEO Jim Nussle. "With the many other breaches that have also occurred--at Staples, Neiman-Marcus and others--certainly credit unions have incurred millions more in costs this year."

For more:
-Read the court ruling
-See this InfoSecurity Magazine story
-See this Credit Union National Association statement

Related stories:
Retail security still very much under attack
Add another to the list: Staples investigating data breach
Supervalu becomes latest data breach victim
Home Depot breach affects 56M debit, credit cards
The untold story of the Target data breach